Exempla/PHP/PPP Concepts - Colorado Bar Association



Final HIPAA Omnibus Rule Highlights

Presented to the Colorado Bar Association, Health Law Section February 20, 2013

Emily Wey, Shareholder Polsinelli Shughart PC

Polsinelli Shughart PC In California, Polsinelli Shughart LLP

Polsinelli Shughart provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.

Polsinelli Shughart is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2013 Polsinelli Shughart PC. In California, Polsinelli Shughart LLP.

Polsinelli Shughart is a registered mark of Polsinelli Shughart PC

2 © 2013 Polsinelli Shughart PC

Important Final Omnibus Rule Dates

• Publication Date: January 25, 2013
  – www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• Effective Date: March 26, 2013
• Compliance Date: September 23, 2013
• Business Associate Agreement Compliance Date: September 22, 2014
  – For “grandfathered” BAAs

FINAL OMNIBUS RULE TOP 6

• Many more entities are Business Associates
• Business Associates are now directly subject to HIPAA in many regards
• Breach notification standard is greatly changed
• Marketing rules are updated
• Individual rights are expanded, particularly with respect to ePHI and genetic information
• Monetary penalties are tiered

POLICY RATIONALES

• 1996 Act and its regulations have been vastly outpaced by technology (ePHI transmission, genetic information)
• One level of accountability (only Covered Entities) is not enough enforcement authority
  – Legal/regulatory liability and contractual liability have all shifted downstream one level (i.e. Business Associates are now like Covered Entities, subcontractors are like Business Associates)

BUSINESS ASSOCIATE CHANGES, Part 1

• Category of entities that will be considered Business Associates has been expanded to include:
  – Entities that transmit and need routine access to PHI (such as HIOs and E-Prescribing Gateways)
  – PHR/EHR vendors who serve Covered Entities
  – Subcontractors who create, receive, maintain, or transmit PHI for a Business Associate

BUSINESS ASSOCIATE CHANGES, Part 1 (cont’d)

• Categories of entities that are not included in the new Business Associate definition are:
  – Health care provider who receives PHI from another provider for treatment
  – Plan sponsors, with respect to disclosures by Group Health Plans
  – Government agencies (determining eligibility)
  – OHCA participants
  – “Conduits” – transmission services with only temporary storage of PHI
• Maintaining PHI (even without viewing it) = BA

BUSINESS ASSOCIATE CHANGES, Part 2

• Business Associates are now directly liable, and subject to OCR enforcement, for:
  – Impermissible uses and disclosures of PHI and ePHI
  – Failure to comply with the Security Rule
    • Business Associates must have in place the same security measures as are required of Covered Entities
  – Failure to provide notification of breach to a Covered Entity

BUSINESS ASSOCIATE CHANGES, Part 2 (cont’d)

• Business Associates are now directly liable, and subject to OCR enforcement, for:
  – Failure to provide access to PHI/ePHI to an individual
  – Failure to provide an accounting of disclosures (similar to current requirement)
  – Failure to enter into BAAs with downstream subcontractors
  – Failure to cooperate with HHS in any compliance investigation
• Consider appointing a Privacy Officer or person responsible for HIPAA compliance

ACTION ITEMS FOR POTENTIAL BUSINESS ASSOCIATES

• Decide whether you are a Business Associate. If yes, then (by 9/23/13) …
• Comply with the HIPAA Security Rule
  – Implement administrative, physical, and technical safeguards that protect the confidentiality, integrity and availability of ePHI
  – Implement policies and procedures regarding the same
• Implement HIPAA Privacy Policies

Business Associate Action Items, cont’d

• Implement Breach Notification Policies
• Develop a Business Associate Agreement for downstream subcontractors
• Be ready to provide access to PHI/ePHI
• Comply with OCR/HHS Investigations

BREACH NOTIFICATION

• Old HIPAA Breach notification standard:
  – the breach “poses a significant risk of financial, reputational, or other harm to the individual”
• New HIPAA Breach notification standard:
  – Any unauthorized use or disclosure of PHI/ePHI that does not meet 1 of 3 exceptions is presumed to be a “breach” for which notice must occur, UNLESS the Covered Entity or Business Associate can demonstrate, through a risk assessment, that there is a “low probability that the PHI has been compromised”

BREACH NOTIFICATION, cont’d

• EXCEPTIONS TO DEFINITION OF BREACH
  (1) Unintentional acquisition, access or use of PHI by a workforce member in the scope of duties – no further access or disclosure
  (2) Inadvertent disclosure from one authorized person to another within a CE/BA – no further access or disclosure
  (3) Disclosure of PHI where CE/BA has good faith belief that the recipient cannot retain the information

RISK ASSESSMENT STANDARD

• Factors that must be considered:
  – Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
  – The unauthorized person who used the protected health information or to whom the disclosure was made
  – Whether the PHI was actually acquired or viewed
  – The extent to which the risk to the protected health information has been mitigated

BREACH NOTIFICATION PRACTICALITIES

• Encryption and destruction are the only two methods to secure PHI and make its disclosure exempt from notification requirements
• CE/BA can decide to notify WITHOUT conducting a risk assessment
• Notice to HHS (less than 500 records) has to occur within 60 days of the end of the year in which the breach was “discovered”, not “occurred”
• Compliance required by September 23, 2013 – in the interim, comply with old standard
• ACTION ITEMS:
  – Revise policies and procedures, BAAs
  – Train workforce

BREACH NOTIFICATION, cont’d

• MOST OTHER PRACTICALITIES OF BREACH NOTIFICATION PROVISIONS UNCHANGED
  – Notice to media is not changed (large number of individuals)
  – Details of notification do not change
  – Reporting to HHS does not change, except for the year in which the reporting obligation falls

MARKETING RULES STRENGTHENED

• Sale of PHI without authorization is prohibited
  – Exceptions for sale of business, public health
• Marketing communications that are paid for by a 3rd party (other than the Covered Entity) require authorization
  – Limited exceptions for refill reminders
  – Includes health-related product or service communications
• Must provide individual with an easy way to stop fundraising communications

MARKETING REQUIREMENT EXCEPTIONS

• No authorization needed for:
  – Treatment or health care operations activities done face-to-face, even if money exchanged
  – Communications regarding health in general
  – Communications about government-sponsored programs
  – Refill/drug communications, including communications about generics and adherence communications

ONE TAKEAWAY REGARDING CHANGES: REMUNERATION = AUTHORIZATION REQUIRED

INDIVIDUAL RIGHTS

• Individuals have a right to receive an electronic copy of their EHR/ePHI
  – Can direct the copy to go to a third person
• Individuals can restrict disclosures to health plans if paying cash for treatment/services
  – Doesn’t apply if check bounces
  – Discuss bundled and follow-up services
  – Patient must notify downstream providers
• Family members/persons involved in care have access to records of deceased person
• Forwarding of immunization records to schools
• Genetic information is treated as PHI (GINA)

Individual Access to ePHI

• Clarifications for access to ePHI
  – Providers not required to give direct access to their systems
  – ePHI linked data must also be provided
  – Can provide hard copy and ePHI, if record is mixed
  – Don’t have to use an individual’s flash drive, etc. to provide the copies
  – Unencrypted email acceptable if individual waives risk of interception
  – 30 days to provide records
  – Charging of costs is acceptable: see state law, though

ACTION ITEMS: INDIVIDUAL RIGHTS

• Evaluate system ability to provide ePHI
• Revise Notice of Privacy Practices
  – Right to receive electronic copy
  – Marketing/sale of PHI/psychotherapy notes: authorization required
  – Right to receive notice following a breach
  – PHI provided to family members after death
  – Restrict disclosures to health plan if cash paid for services (not applicable if check bounces)
  – Opt-out for fundraising
  – Health plans: no use of genetic information for underwriting
• Revise Policies and Procedures

Genetic Information Nondiscrimination Act (GINA)

• Provisions prohibit use of genetic information for underwriting
• Genetic information is:
  – Information about genetic tests of an individual or family member
  – Manifestation of a disease or disorder in an individual’s family members
  – Does not include age/sex
  – Genetic test includes DNA/RNA, but not analysis of proteins or metabolites related to a disease

TIERED CIVIL PENALTIES

VIOLATION CATEGORY                        EACH VIOLATION     PER YEAR
Did not know                              $100-$50,000       $1.5M
Reasonable cause                          $1,000-$50,000     $1.5M
Willful neglect, corrected in 30 days     $10,000-$50,000    $1.5M
Willful neglect, not corrected            $50,000            $1.5M

PENALTY ASSESSMENT FACTORS

• HHS is not bound to impose the maximum penalty, but will consider:
  – Nature and extent of the violation
  – Resulting harm (number of people, reputational harm)
  – Entity’s history of compliance or violations
  – Financial condition of the entity
  – Any other factors justice may require
• REMEMBER: intentional acts may be subject to separate criminal prosecution

FINAL ACTION ITEM LIST

• CE: Revise Notice of Privacy Practices
• BA: Comply with Privacy & Security Rules
• CE/BA: Identify Business Associates
• CE/BA: Revise and enter into new/amended Business Associate Agreements (2 different deadlines)
• CE/BA: Review any “remuneration” relationships involving PHI/ePHI
• CE/BA: Implement/revise HIPAA Policies and Procedures
• CE/BA: Train Workforce


QUESTIONS?


Emily Wey, [email protected], 303.583.8255
